Credit unions may be becoming slightly more popular targets for fraudsters. According to Bedford, Mass.-based RSA, an information security company, credit unions in September experienced almost half of phishing attacks on financial institutions across the country.
Phishing – a scam that uses spam e-mails to convince customers to give up their personal information – is also a problem for credit unions in Connecticut. In fact, the Connecticut Credit Union Association was targeted by a phishing scam last week. President and Chief Executive Officer Kevin Chandler received an e-mail on the morning of Oct. 9 that purported to be from the Credit Union Association and asked him to click on a link and enter some information. Chandler said he knew immediately it was a phishing attack, and he set about hiring a company to shut down the fraudulent site.
The site was gone within 24 hours, but over the next few days, Chandler learned how potentially dangerous phishing can be. For the most part, people recognized it for what it was, and called the association to report the fraud.
“The really good news is that people are much more savvy to this than they used to be,” said Chandler, who added that he received about a dozen of those calls.
But the really worrisome part of the scam was that, even though the association is not an actual financial institution and holds no accounts, he also got several calls after the fraudulent site had been shut down from people who were concerned they could not submit the requested information.
Such a scam can be particularly damaging to people who are especially sensitive about their credit and want to make sure they are paying all their bills on time, Chandler said. If they receive an e-mail from a reputable financial institution or company saying they have a late payment or an account that will be shut down if they do not act, and if they have not been educated about scams like phishing, they often fall prey to the scheme.
Chandler said he received a phone call from one such man who was insistent that he had to get into the fraudulent site and enter his information, and it took a lot of explaining before the man understood the nature of the fraud.
“That’s when I realized this is a real potential problem,” Chandler noted.
‘A Teaching Moment’
The Connecticut Credit Union Association also took the opportunity to educate the public, as well as its member credit unions, about phishing.
“This was a teaching moment as well as a maddening moment for us,” Chandler said.
The problem is the same for banks and credit unions, as well as a plethora of other companies, like eBay, which often are targeted by phishers.
“They look for what people would think would be a trustworthy institution,” he said.
Phishers are incredibly hard to catch. Chandler and others at his organization discovered that the Web site purporting to be theirs originated in Japan, and was routed through Canada.
“It’s a precarious problem because they’re so mobile and so quick,” Chandler said. “There’s not much an institution can do about it, but they can be quick and diligent in shutting them down.”
According to RSA, 48 percent of phishing attacks on the nation’s financial institutions in September were against credit unions. That number was up from 44 percent in August.
Phishing attacks overall also increased in September, according to RSA. The company has tracked a 48 percent increase in the number of attacks over the past four months, and RSA’s experts said they expect the number to continue to rise through the end of the year.
Although the overall number of attacks has risen recently, the number of brands that have been attacked has dropped and stabilized during the past two months, according to RSA’s September report. That indicates the fraudsters are content with their current targets and their gains from those targets.
“Most likely, as additional financial institutions put anti-phishing measures in place and fix system vulnerabilities, the number of brands [attacked] will increase again,” according to RSA.
The Anti-Phishing Working Group has indicated that in August, it received more than 26,000 phishing reports and more than 10,000 unique phishing Web sites. Almost 150 brands were hijacked by phishing campaigns, and 17 brands made up the top 80 percent of phishing campaigns during the month.
The United States continues to host most of the phishing Web sites, according to the Anti-Phishing Working Group. Most sites remain online for 4.5 days, but 31 days was the longest time reported for a site to remain on the Web.